Information Technology and Management Analysis - Case Study Example

Name Instructor’s Name Course Name and Code Date Information Technology and Management According to CSU policies, it is mandatory that Cal Poly should make sure that its information resources during cataclysmic occasion the system can still operate and can be accessed by its users. Cal Poly developed, documented, tested and maintained business continuity plan. The plan is fundamental to the running of the system since it ensures that continuance of pertinent campus systems, functions as well as services in case there is a disruption occurs on the campus operations after an emergency or disaster condition The institution’s business permanence program incorporates these standards as well as actvities: a) A regular model has been utilized in developing a dependable University’s Business Continuity Plan. The outline has been used in documenting pertinent details, for instance, critical functions, staff contact information, assets, vital records and critical function recovery procedure) within each department in the campus so that the campus can be able to recover from any disruption that is likely to occur. b) crisis actions of different units, together with requests for services and resources as well as documentation if financial impact is harmonized in at Emergency Operations Center as well as in agreement with Calpoy’s Emergency Management Plan. c) Department of Emergency Programme, Departmental Business Continuity Plan as well as Campus Emergency Management Programme are related and they provide for preparation, response as well as recovery to an emergency. d) Calpoy’s Business Continuity Plan has hush-hush info which ought to be private and confidential since when the information is shared with the public the organization can experience a number of setback in their security structure which eventually will affect credibility of information or data in Cal Poly. Each department has a task of ensuring that its information is held, developed as well as reviewed by authorized persons only. Each Vice President has a task of ensuring development, testing as well as continuation of the Continuity program that is in his allotment. Representatives of different departments have a responsibility of developing and maintaining the plan. At Cal Poly the Business Continuity Director and each Cal Poly Business Continuity Program are in charge of fundamental appraisal of its continuity plans so that there can be continuity of important functions as well as operations even after a catastrophic event has occurred. unswerving with Calpoy’s security guidelines, Calpoy’s network resources users are recommended to mull over the unwrap information which is distributed by electronic means and should not take for granted any level of confidentiality or constrained right to use information stored or generate on Calpoly’s systems. Information stored on the Calpoly’s information system is subjected to revelation. No network resource or Calpoy’s system can limit access to everyone since information can be accessed when it required by state official or education ministry. Nonetheless, Cal Poly is under an obligation to respect as well as protect private information regarding students or staff which is stored on the institutions network resources as well as information systems. In order to ensure compliance with regulations and laws, persons as well as procedures cannot gather information that can identify a person unless the information is required. The moment this information is gathered; a) The information Authority as well as individual user gathering facts can make use of rational attempts to make sure information that can reveal someone’s identity is restricted from not permitted persons. b) Information Authority as well as user’s gathering information stores information that reveals one’s identity when it is relevant as well as appropriate to function that is gathered. Cal Poly information systems can only be accessed by: appropriate legal authorities, person to who store information applies, certified Cal Poly staff who have legitimate reason which is related with Cal Poly business must modify right of entry or divulge information. Apposite and only authorized Cal poly’s personnel who adhere to the established procedures are allowed right of entry, revise or divulge information regarding persons stored on the institutions system. Cal Poly can allow it under the following circumstances: to be compliant with the applicable regulations or laws, comply with applicable CSU or Cal Poly policy, to guarantee privacy, veracity or accessibility of Calpoy’s information, act in response to genuine demands as well as request for access to Cal Poly information. When the institution’s staff accesses, discloses or adjust information regarding an entity or any activity in the institution’s network resources or information system the staff is supposed to ensure that he respects information as well as communications which are advantaged or confidential information from revelation in the institutions guiding principle. The information Authorities are always advised to consult CSU Record Access Manuals so that they can determine records that need to be availed so that the public can inspect according to the California Public Records Act. Information assurance and risk management Cal Poly staff who can access information as a result of meticulousness to stop illicit access as well as revelation of information. Altering, accessing of messages, stored up files in a different computer, explanation or another storage space mechanism is not allowed in files do not have a secret code to protect. This is only allowed when it has been allowed by user’s for the institution’s commerce oriented grounds. Nonetheless the proscription cannot not affect: when the campus is responding to subpoenas or court orders, access to publicly accessible resources, for instance, University website, allowed access of common files as well as resources on the allocated responsibilities as well as roles, right of access access of information by computer support technician, system administrator and such right to use is limited to the extent of job responsibility. The main motive for administration risk in any institute is protecting its operation as well as possessions of an organization. When an organization understands the magnitude of risks likely to occur the organization will prioritize its resources. Information security risk can be assessed through identification of threats and vulnerabilities. This is followed by determining the probability as well as impact of the risk to the information security assets. Upon identification of a risk, approaches are instituted to lessen jeopardy to the satisfactory echelon, allocate risk, shift the risk a different entity, and presume recognized risk. In Cal Poly threat are scrutinized through continuous compilation of information regarding the threat. “According to Cal Poly’s policy risk management processes it should recognize information possessions in level 1 and 2 are illustrated in the institution’s Information Classification as well as Handling Standard” (Cal Poly 25). Cal Poly undertakes intermittent assessment of the information security threat. Risk evaluation can be targeted at specific technologies, or areas in an organization. At Cal Poly risk evaluation are part of continuous risk managing procedures. They offer a foundation for prioritizing along with assortment of remediation activities and can help in monitoring the effectiveness of the institutions controls. The institutions’ Security Risk Self-Assessments has processes of undertaking yearly assessments along with catalog reporting. The Security Risk Self-Assessment and inventory are call for, gathered, appraisal as well as appraised by the Security Information Officer as well as subordinate Provost Officer. The assessment outcomes are also shared with the administrative as well as computing committees in the campus. Risk assessment report generates results which is updated on an annual basis and identifies control objectives, mitigation approaches, risk exposures as well as action plans aimed at dealing with risks timelines. Safety is considered before any project kick off at the institution. Additionally, control review is performed before implementing computer systems that handle or store protected information. This entails security assessment to make sure that apt measures are instituted and are operational. Contingency plan which includes data recovery strategy, risk assessment which includes review for legal, regulatory and policy compliance and review of continuous production procedures that include integrity check and change controls. Fraud, crime and violations According to Calpoy’s Information Security Program third parties accessing the institution’s network resources must comply with Cal Poly’s information security guiding principle as well as values. Risk appraisal is supposed to be determined so that particular implications as well as control requirements for services offered. Service providers, third parties, can be granted access to the institution information asset that contains restricted data as explained in institution’s Information Classification when there is call for for third party to undertake an authorized responsibility. The access is authorized through a designated Information Authority list. Through such approaches information or data in the institutions system cannot be accessed by anyone else and this helps in preventing fraud, violations and crime in the institution. To ensure that the system is fraud-free third parties are not given right of entry to campus levels of information resources as illustrated in Information Classification as well as Handling Standard in anticipation of right to use is granted, agreement/ contract is signed defining terms of access, as well as appropriate security controls are implemented and Cal Poly’s confidentiality-security agreement is signed. These controls help in ensuring that the fraudsters are kept at bay from the system since the conditions are very strict and it is intricate for all and sundry to gain pertinent information regarding the institution or student. Information Security guiding principle necessitates that the institution should safeguard its network property and information technology to guarantee integrity, and confidentiality. IS Vulnerabilities and threats According to Calpoly’s Guidelines, security cases that involve mutilation, misuse or loss of network resources or inappropriate distribution of secured data, irrespective of the medium it should be recounted and reconnoitered so that adversative effects can be mitigated, safeguard the institution from such occurrences as well as conform to the current laws as well as policies. Security issues are accomplished by Information Security Management Team and are re-counted to this email abuse@calpoly.edu. This group develops as well as maintains event reaction sequencer so that all security cases are quickly reported, reconnoitered, decided through a method which reestablishes processes promptly and when requisite, maintain proof so that there can be further legal, law enforcement or disciplinary actions. The institution’s occurrence reaction policy is revised semi-yearly as well as improved as required so that it can comply with all the applicable laws and institution’s standards and policies. Its incident response program incorporates various standards and practices, for instance, incident discovery as well as reporting protocols, security incident response team, containment strategies which avoid further loss or disruption, classification and identification of incidents based on severity and type of threat. Network security Unswerving with the Calpoy’s Information Security Guidelines, physical areas that have protected data are situated are secured from unofficial entry. Physical capacities entails office areas, data hubs, as well as other localities. Information assets that have contact with secured data are situated in private and open access extents are safeguarded to limit access, which can lead to tampering, theft or destruction. Information Authorities appraisal as well as document access right to the institution’s restricted-access zones on an annual basis. Cal Poly treats security incidents as private. Information Technology Services personnel prepare reports that documents types as well as number of occurrences, projected cost, time, as well as other information that may be necessary. The report is revised trimestral with the Information Security Management team and it is included in an annual report which is organized by the Information Security Officer. Unswerving with Cal Poly’s Information Security Policies, the Information Security Policy as well as Information Resources Accountable Use Procedure develops strategy and develops expectations for guarding Cal Poly network resources. They are buttressed by associated standards, guidelines, strategies as well as practices to enhance amenableness. Internal control and compliance The Cal Poly’s information Security Policies should have meticulous access to the institution’s information assets as well as supervision for: separating individuals’ duties with access to information assets, granting access to information assets, appraisals of contact privileges to the information assets as well as varying user rights to access information assets. Right to use information has two levels, level 1 and 2. There is separation of duties in the network system. Information Authorities uphold apt glassy of duty split-up when allotting identifications to persons with right to use information assets that has safeguarded information or data. Information Authorities duck issuance of credential which allows more access to information assets that what is necessary according to an employee job duty (Cal Poly 14). Works Cited Cal Poly. Cal Poly: Information Security Program. Retrieved from http://security.calpoly.edu/docs/policy/isp.pdf Read More